Lately, there is a lot of disagreement related to why people who have various types of antivirus solutions in place, still get infected by ransomware. Experts’ opinions on the matter vary, some say antivirus is obsolete and should evolve into something else, like ransom antivirus, while others advocate for multi-layered ransomware protection strategies that include several solutions and activities. Most security vendors have functionality that in some marginal way helps with ransomware prevention but far from offering an appropriate solution. Things like patch management, log management, file monitoring, user behavior analysis may help under certain circumstances to various degrees but none offer adequate ransomware protection on its own. For example, appropriate patch management could stop WannaCry from spreading, but it does not stop the original WannaCry infection, nor other ransomware. Similarly, log management, file monitoring, user behavior analysis may help to detect a ransomware infection, but not fast enough and they cannot stop it.

The main issue with ransomware is the fact that it is not designed like a common virus. Not by the behavior it generally exposes. In the end, it mimics user behavior very well; it reads files, writes information to the disk and removes files. Just like all of us do on an average day. Some newer variants also have worm-like capabilities exploiting vulnerabilities to proliferate, and all of them usually have obfuscation technology in place, enabling them to elude classic antivirus detection and making reverse engineering very difficult.

Antivirus solutions rely on various technologies to provide ransomware protection and stop the malicious process before it executes, but all may be bypassed, especially by zero-day variants.

Classic antivirus

Signature-based detection does not catch zero-day threats nor targeted attacks with custom variants. Also, it requires constant updating, and there is a significant time gap between when the attacks start to proliferate, the AV team learns the signatures, and the end user updates the antivirus signature database. During this period, you are vulnerable. However, signature-based detection stops known ransomware before it damages files, thus delivering some ransomware protection;

Sandbox analysis is another technique used by AV solutions – it allows the ransomware to execute in a controlled environment that simulates the operating system so that its actions are noted, and a decision is made by the AV solution, on if to allow the process to execute on the real operating system. However, advanced ransomware has environmental awareness and detects sandbox and virtualized environments. Hence, the ransomware does not perform any action while in a sandbox, thus eluding this technique;

Heuristics allow AV technologies to detect malware based on its behavior. This method involves machine learning via rules and statistical weights in sophisticated algorithms. However, this only works in time and only with proper training. Antivirus solutions do not have the technology to extract behavioral information relevant to ransomware because it cannot distinguish it from the regular users. Hence heuristics cannot be trained well against ransomware, but it may perform well against malware or ransomware that uses worm-like capabilities;

Automatic reverse engineering – usually part of Heuristics and involves decompiling and analyzing ransomware source code or its in-memory activity, on the fly. However, most ransomware includes obfuscation and protection technologies that prevent antivirus solutions to use this technique, thus the ransomware protection is marginal when dealing with advanced ransomware;

Application whitelisting – this method only allows authorized applications to execute and efficiently blocks all other processes. However, there is script-based ransomware that uses an authorized application to perform the encryption process (command line scripts, or MS Word macros), thus bypassing the whitelisting technology. Next, there is fileless ransomware that hooks on system processes like the Service Host process, thus being able to execute in spite of application whitelisting. Last, there are ransomware exploiting vulnerabilities of authorized applications such as the browsers, which also bypasses this technique. Application whitelisting provides some ransomware protection but cannot stop several types of ransomware.

In turn, anti-ransomware solutions implement ransomware protection by attempting to detect ransomware as it performs malicious activity. This approach involves different technology and yields better results regarding accuracy and protection against zero-day threats. However, it means that some files are encrypted before ransomware is detected and stopped. To eliminate this disadvantage, there are anti-ransomware solutions that provide data protection and the ability to recover the files lost during the detection process. Advanced ransomware protection tools also provide real-time backup capabilities and data safeguarding in impenetrable repositories, allowing file recovery even in the case of a successful ransomware infection. All these make dedicated anti-ransomware solutions better than the antivirus counterparts at detecting and protecting against ransomware.

For good enterprise ransomware protection, antivirus and anti-ransomware should be used together to eliminate known threats before they execute and contribute to ransomware prevention, reduce the chance of ransomware infection and ultimately provide effective ransomware protection, especially against zero-day ransomware variants.

How we can help

Our dedicated solution TEMASOFT Ranstop, is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss. TEMASOFT Ranstop is at the core of any multi-layered security strategy designed to protect against ransomware.

For more information, follow us on social media and subscribe to our newsletter.

Interesting article. I am also keen to see how anti-ransomware technology evolves and how it fits environments where antivirus solutions are already in place. It is likely many antivirus solutions will start integrate anti-ransomware technology and offer a single solution to the ransomware protection problem.

Indeed there are several ways in which proper ransomware protection may be delivered, inclusion of anti-ransomware technology into antivirus is one of them, but at the same time, antivirus technology may be included in anti-ransomware solutions as well. Then there are combinations that may rely on anti-ransomware and backup software, that work alongside antivirus (as TEMASOFT Ranstop is).